Millions of Android devices vulnerable to new Stagefright exploit

Security researchers have successfully exploited the Android-based Stagefright bug and remotely hacked a phone, which may leave millions of devices vulnerable to attack.

Israeli software research company NorthBit claimed it had “properly” exploited the Android bug that was originally described as the “worst ever discovered”.

The exploit, called Metaphor, is detailed in a research paper (PDF) from NorthBit and also in a video showing the exploit being run on a Nexus 5. NorthBit said it had also successfully tested the exploit on an LG G3, HTC One and Samsung Galaxy S5.

Co-founder Gil Dabah told WIRED the exploit could be altered by those wanting to cause more damage. Approximately 36 percent of the 1.4 billion active Android phones and tablets run Android 5 or 5.1, with Dabah warning that devices lacking the latest updates would be vulnerable.

“Our research managed to get it [the attack] to the level of production grade, meaning that everyone – both the bad guys and good guys, or governments – could use our research in order to facilitate it in the wild.”

The Stagefright vulnerability was first highlighted by security firm Zimperium in July 2015. The hack was said to be able to execute remote code on Android devices and could possibly affect up to 95 percent of Android devices.

A second critical vulnerability, dubbed Stagefright 2.0 in October, exploited issues in .mp3 and .mp4 files, which when opened were claimed to be able to remotely execute malicious code.

Stagefright itself is a software library, written in C++, that’s built into the Android operating system. The Zimperium researchers said it was susceptible to memory corruption, and that when an MMS message containing a video was sent to the device it could, if composed in the correct way, activate malicious code inside the device.

Google released a patch for the bug and promised regular security updates for Android phones following the publication of Stagefright’s details. WIRED contacted Google for comment but had not received a response at the time of publication.

The researchers from NorthBit say they have been able to create an exploit that can be used against Stagefright on Android 2.2, 4.0, 5.0 and 5.1. Other versions are not affected. The company’s research paper says it is built on work from Google itself.

Dabah claims the exploit “depicts a way to bypass” address space layout randomisation (ASLR), a memory protection process. ASLR is present on Android 5.0 and 5.1, but not on 2.2 and 4.0.

“We managed to exploit it to make it work in the wild,” Dabah said. The research paper reads: “Breaking ASLR requires some information about the device, as different devices use slightly different configurations which may change some offsets or predictable addresses locations.

“Using the same vulnerability, it is possible to gain arbitrary pointer read to leak back to the web browser and gather information in order to break the ASLR”.

After bypassing ASLR, the researchers, in their video, show a user opening a link sent in a message before the exploit sends a raft of device data back to the hacker’s computer.

Zuk Avraham, chairman of Zimperium, told WIRED his company had originally developed two working exploits for the first vulnerabilities in Stagefright but NorthBit’s research could result in a situation where Android users were vulnerable.

“I would be surprised if multiple professional hacking groups do not have working Stagefright exploits by now. Many devices out there are still vulnerable, so Zimperium has not published the second exploit in order to protect the ecosystem,” Avraham said.

“NorthBit’s research provides an alternative method to break ASLR by leaking information via mediaserver. The research paper provides enough details for professional hacking groups to complete a fully working and reliable exploit.”